Control: 5.3.4 Ensure that all 'privileged' role assignments are periodically reviewed
Description
Periodic review of privileged role assignments is performed to ensure that the privileged roles assigned to users are accurate and appropriate.
Privileged roles are crown jewel assets that can be used by malicious insiders, threat actors, or even by mistake to significantly damage an organization in numerous ways. These roles should be periodically reviewed to:
- identify lingering permission assignments (e.g. an administrator has been terminated and the administrator account is being retained, but the permissions are no longer necessary and have not been properly addressed by process)
- detect lateral movement through privilege escalation (e.g. an account with administrative permission has been compromised and is elevating other accounts in an attempt to circumvent detection mechanisms)
Remediation
- From Azure Home select the Portal Menu.
- Select Subscriptions.
- Select a subscription.
- Select Access control (IAM).
- Look for the number under the word Privileged accompanied by a link titled View Assignments. Click the View assignments link.
- For each privileged role listed, evaluate whether the assignment is appropriate and current for each User, Group, or App assigned to each privileged role.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v500_5_3_4
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cis_v500_5_3_4 --share
SQL
This control uses a named query:
select
  id as resource,
  'info' as status,
  'Manual verification required.' as reason,
  display_name as subscription
from
  azure_subscription;
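The named query above only flags each subscription for manual review; it does not list anything to review. The following query is an added example (not part of the page or of the azure_compliance mod) that produces the worked list a reviewer would walk through in the portal's Access control (IAM) view. It assumes the Steampipe Azure plugin tables azure_role_assignment, azure_role_definition and azure_subscription with the columns used below, and it assumes a set of built-in roles (Owner, Contributor, User Access Administrator) as the definition of "privileged"; both are assumptions to check against your plugin version and your own policy.

```sql
-- Added example, not the control's own query.
-- Assumed tables/columns: azure_role_definition(id, role_name),
-- azure_role_assignment(principal_id, principal_type, role_definition_id,
-- scope, subscription_id), azure_subscription(subscription_id, display_name).
-- Verify with the Steampipe shell, e.g. `.inspect azure_role_assignment`.
with privileged_roles as (
  -- Assumed set of roles treated as privileged; adjust to your policy.
  select
    id,
    role_name
  from
    azure_role_definition
  where
    role_name in ('Owner', 'Contributor', 'User Access Administrator')
)
select
  s.display_name as subscription,
  r.role_name,
  a.principal_type,      -- User, Group, or ServicePrincipal (App)
  a.principal_id,
  a.scope,
  -- Subscription-wide grants deserve the closest look during the review.
  case
    when a.scope = '/subscriptions/' || a.subscription_id then 'subscription'
    else 'narrower'
  end as scope_level
from
  azure_role_assignment a
  join privileged_roles r on a.role_definition_id = r.id
  join azure_subscription s on a.subscription_id = s.subscription_id
order by
  s.display_name,
  r.role_name,
  a.principal_type,
  a.principal_id;
```

Running this before each review cycle and diffing the result against the previous cycle's output gives a quick way to spot both lingering assignments (rows that should have disappeared) and newly elevated principals (rows that appeared without a change request behind them).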